SCCM – Use CM Discovery to Monitor Active Directory User Accounts

Here are some reports that I’ve created to help our technical support team manage user accounts in Active Directory. They give the team the following information about users (note that this has been tested in a single AD domain (DFL 2003) with SCCM 2007 SP2).

The first report gives a count of users by status: Enabled, Disabled, Password Set to Never Expire, Account Expired, and Stale Account (accounts that have exceeded their threshold of 90 days). It can also list all user accounts with a specific status, for example all expired accounts or all user accounts with the password set to never expire.

The second report counts users by OU, with the ability to drill down to the user information in the selected OU and then to the group membership of each user.

First report:

Count user accounts in a specific state

All Users in a specific state

Second report:

User Accounts by OU

All Users in the selected OU

Group Membership for a selected user

Here are the queries:

FirstReport (contains the queries for the two reports)

SecondReports (contains the queries for the three reports)


**** User discovery must be enabled with all these attributes ****
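
The status buckets of the first report can be derived from three AD attributes with bit tests and FILETIME arithmetic. The T-SQL below is an added example, not the queries from this post, and runs on a constructed table variable. It assumes discovery collects userAccountControl, accountExpires and lastLogonTimestamp, and that "stale" means an enabled account with no logon inside the threshold.

```sql
-- Added example on constructed rows; not the post's report queries.
DECLARE @StaleDays int;
SET @StaleDays = 90;   -- the post's threshold; use 60 for a stricter report

-- AD stores times as FILETIME: 100 ns ticks since 1601-01-01 UTC.
-- 157258080 = minutes from 1601-01-01 to SQL Server's day 0 (1900-01-01).
DECLARE @Day bigint, @Now bigint;
SET @Day = CAST(864000000000 AS bigint);   -- ticks in one day
SET @Now = (CAST(DATEDIFF(mi, 0, GETUTCDATE()) AS bigint) + 157258080) * 600000000;

-- Stand-in for the discovery data (column names are assumptions).
DECLARE @Users TABLE (
    samAccountName     nvarchar(64),
    userAccountControl int,      -- bit 0x2 = disabled, 0x10000 = password never expires
    accountExpires     bigint,   -- 0 or 9223372036854775807 = never expires
    lastLogonTimestamp bigint    -- NULL = never logged on
);
INSERT INTO @Users VALUES ('alice',   512,   9223372036854775807, @Now - 5 * @Day);
INSERT INTO @Users VALUES ('bob',     514,   0,                   @Now - 200 * @Day);
INSERT INTO @Users VALUES ('svc_app', 66048, 0,                   @Now - 1 * @Day);
INSERT INTO @Users VALUES ('carol',   512,   @Now - 30 * @Day,    @Now - 45 * @Day);
INSERT INTO @Users VALUES ('dave',    512,   0,                   @Now - 120 * @Day);
INSERT INTO @Users VALUES ('erin',    512,   0,                   NULL);

-- One row of counts; a user can fall into more than one bucket.
SELECT
    SUM(CASE WHEN (userAccountControl & 2) = 0 THEN 1 ELSE 0 END) AS Enabled,
    SUM(CASE WHEN (userAccountControl & 2) = 2 THEN 1 ELSE 0 END) AS Disabled,
    SUM(CASE WHEN (userAccountControl & 65536) = 65536 THEN 1 ELSE 0 END) AS PasswordNeverExpires,
    SUM(CASE WHEN accountExpires NOT IN (0, 9223372036854775807)
              AND accountExpires < @Now THEN 1 ELSE 0 END) AS AccountExpired,
    -- Stale (assumed meaning): enabled, and no logon within @StaleDays.
    -- lastLogonTimestamp replicates with up to ~14 days of lag by design.
    SUM(CASE WHEN (userAccountControl & 2) = 0
              AND (lastLogonTimestamp IS NULL
                   OR lastLogonTimestamp < @Now - @StaleDays * @Day) THEN 1 ELSE 0 END) AS Stale
FROM @Users;
```

In an SCCM report the same expressions would run against the user discovery view (for example v_R_User) instead of @Users; the actual column names depend on which attributes discovery is configured to collect.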



6 thoughts on “SCCM – Use CM Discovery to Monitor Active Directory User Accounts”

  1. Rich

    This is great, but you don’t say how to implement it. Which parts of which files are queries, and which are reports? Do we create links in the report, if so, to what? Also, in the first query, just by looking at the query, I can tell that the Enabled, and Disabled accounts are backwards. It is very unclear what you mean by first report (which has two reports in it), and second report, (which has 3). And how they all tie together to make a usable tool. What does the math mean in the first report? How could we customize it to say like 60 days?


  2. Rich

    More ambiguities. Can you drill down into the first report? If so, how do you link it? You also say you can get lists of all user accounts with a specific status, but do not say how. The Prompt in the first report is configured HOW? It says “no sql query,” but how can that work? Way too vague.

  3. Nate

    These queries call on columns that don’t exist within the given tables (at least not by default). Did you modify the MOF files to collect that information? If so can you give us the class name so we can find it and enable it for ourselves?

    Obviously a lot of work went into this and I thank you as it gives me a great starting point, but in the information’s current state it’s unusable.

    • Simon Brouillard

      Are you using SSRS as Reporting Point? Because I’ve recently migrated to SCCM 2012, so I don’t have MOF files available for now… but only RDL files. So, if that can help you, let me know and I will send it to you.
